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Case ID #:(U) 288-CI-68562 (Pending) 

Title:m £s0 MOONLIGHT MAZE 

Synopsis: m Forward to Cincinnati information provided by 

Haverford College. 

<U) 

Enclosures: :u) (M Enclosed for Cincin nati are the origin al and 



•Aione copy of an ^0-302 of interview of and a 

J 5 letter, memo, computer logs and a computer data cartridge 
provided by Nocifore. 
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Investigation conti nuing at NSRA.I 
I — | pen register/trap and trace 
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Date of transcription 


12/16/98 


Academic Planning Office 


in Resources Management and Interim Direction of Computing and 
Information Services, 826 Cathedral of Learning, 4200 Fifth 
Avenue. Pittsburgh. Pennsylvania (PA) 15260, telephone number 

was contacted at his office. 


I was advised of the identity of the investigating Agent 
and the nature of the inquiry. 


b6 

b7C 


,, 1 ___ 

advised that wnen tne requested information nas oeen compiled, he 
b ° c should contact the investigating Agent to arrange for receipt of 

OTHER Sealed Court Documents-* 



This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
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288-CI-68562 


Continuation of FD-302 of 


On 0^/H/99 _, Page 


|_|was advised to maintain a copy of this data and 

that he may be contacted for additional assistance in the 
furtherance of this investigation. 

A hard copy printout of this information was not 
furnished at this time due to its voluminous nature. 
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Attn: NI PC-CIU. Room 11887 


SSfl 

Attn: •'"SfA 



Case ID #: 288 r CI-68562 

Title :(U) M MOONLIGHT MAZE 


Synopsis: W) Reporting of lead coverage at University of 

Pittsburgh, Pittsburgh, PA. 

Reference: 01)288-CI-68562 Serial 40 



Enclosures^ J^s(j Enclosed f or FBIHO-NIPC is a copy of an FD-30 2 

rpflpr-hinrr Mig>_infpn7ipi.i n-Ff 


Harmarville, PA on 2/11/99. 


University of Pittsburgh at 


5R Sealed Court Documents_ 

Furthermore, enclosed is an FD-302 for investigation 
on 2/11/99 at Harmarville, PA reflecting interview of 


* 2 ^$- C.\- X- 




IT 


To: NSD, Cl From: Pittsburgh 

Re:(UH^s£) 288-CI-68562, 02/22/1999 


; b ~ J_I TTniverbify of Pi H-flhnrrrh 

be 

hi C | 

OTHER Sealed Court Documents- 


Details ^The above described enclosures represent 
investigation con ducted bv Pittsbu rgh in connection with 
captioned matter, 
is the main point 


at the University of Pittsburgh 
ot contact ana he has been advised to retain a 
copy of the information provided for possible future reference in 
the course of this investigation. 


Pittsburgh considers this lead covered. 
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To: Moscow 

Criminal Investigative 

Baltimore 

Cincinnati 


Attn: 


Leaat 


IRU 1 


From: National Security 

NIPC/CIOS/Ci y/Rm 11719 
Contact: UC 

Approved By: 


Drafted By: 


Case ID #: (U) 288A-HQ-1266830 (Pending) 

(U) 288A-BA-95348 (Pending) 

(U) 288A-CI-68562 (Pending)c^ 


Title: (U) "Moonlight Maze" 


Synopsis: 
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(U) (^NF) 



[ 


Administrative: (U) RE fax from the National Infrastructure 

Protection Center (NIPC) to Legat Moscow on 3/5/1999; teletyp es 
from the NIPC dated 3/ 5/99: and telca ll from Acting UC_ 


Details: 


]NIPC, to ALAT 


on 3/5/99. 
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The FBI and other United States Federal Investigators 
are currently investigating several intrusions into 
government computer systems which appear to be coming 


-3/ 


C'Z- 




SECIJB^/NOFORN 

Moscow From: National Security 
(U) 288A-HQ-1266830, 03/05/1999 


_(U) For information of Legat Moscow, |_| 

Unit Chief, Computer I nvestigation Unit, NI PC, will 
be contacting one of the following on 

Saturday, March 6, 1999, Moscow time, and advise them of the same 
information provided above: 


(U) It is requested that the Legat advise the NIPC 
after contact has been made, the name of the person contacted and 
the reaction to the information provided. 

(U) The NIPC has coordinated this matter with 
Special Agent, Baltimore Division. 1 - 


SECRE’S/NOFORN 







SECRE^TOFORN 


TO: 
Re: 


Moscow From: National Security 
(U) 288A-HQ-1266830, 03/05/1999 


LEAD (s): 

Set Lead 1: 

BALTIMORE 

AT BALTIMORE. MARYLAND 
(U) For information only 
Set Lead 2: 

CINCINNATI 

AT CINCINNATI. OHIO 
(U) For information only 
Set Lead 3: 

CRIMINAL INVESTIGATIVE 
AT WASHINGTON. DC 
(U) For information only 
Set Lead 4: 
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Precedence: PRIORITY 

To: ./Cincinnati 

National Security 


Date: 02/08/1999 


Attn: SA 

Attn: NIP C-CIU. Room lJ. fiRT 

SSA 



From: San Antonio 

Squad 11/Aus tin Resident Agency 

Contact: IA| 

, //Ms- 

Approved! 

Drafted By: 

Case ID # (U| 288-CI-68562 (Pending)-2*1 

Title :i u > £§< MOONLIGHT MAZE 
Synopsis (U) ^ Lead covered. 

m-X 
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OTHER Sealed Court Documents 


Reference 288-CI-68562 Serial 40 
Package Copv:( u ) Isl _Being forwarded under separate cover is 


Details(U) 



♦ ♦ 
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Attn: S OD 4 
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Approved By 
Drafted By: 



Case ID # (U) 288-CI-68562- (Pending)//' 

Title: MOONLIGHT MAZE 


SynopsisLead 3 to Philadelphia covered. 


Reference (U)--Jt® 288-CI-68562 Serial 45 




Details 


Division coverec 


Lead 3 to Philadelphia 


SECRET 














To: Cincinnati From: Mobile 

Re: (U) 288-CI-68562 , 03/17/1999 


(U) In view of the fact that additional investigation 
may be required. Mobile Division, Opelika RA does not consider 
this lead covered. 


♦ ♦ 
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Attn: 

ALATl_1_ 

Attn: 

DAE 


Attn: 

LS 


Attn: 

SA 


Attn: 

SA 
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Case ID #: 288A-BA-95348"" ' (Pending) 

2 88A-CI-68562 ■'^Pending) 

2 8 8A-HQ -1266830-- 3^( Pending) 

Title: MOONLIGHT MAZE 

Synopsis: To provide Legat Moscow with an update regarding the 

deployment of the Moonlight Maze investigative team and to 
request that Legat Moscow assist in obtaining reservations for 
the team's lodging while in Moscow. 


Ad ministrative: 
SSi|_,- 


Reference telcal between ALAT 
on March 
and IRB, SSA 


and 


?9- 1999. 


and te lcal between Mocsow 

Legat|_|and IRB, SSA|_ I on March 31, 1999. 

Reference Electronic Communication dated March 16, 1999, to the 
National Security Division regarding the Moonlight Maze 
Operational Plan. 
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Moscow From: National Security 
288A-BA-95348, 03/31/1999 


Airline travel arrangements have been completed with 
a scheduled departure on April 2, 1999, at 05:10 p.m. Eastern 
time from Dulles, VA, on Delta flight #2772 connecting in Zurich, 
Switzerland, on Delta flight #2850 which arrives in Moscow on 
April 3, 1999, at 3:05 p.m. If investigative coordination with 
the MVD has been completed, the team expects to depart Moscow the 
morning of April 10, 1999, with an arrival at Dulles, VA, at 3:30 
p.m. Eastern time that same date. _ 



Concurrance regarding the investigative teams travel 
have been obtained from the FBI Inte rnational Relations Branch, 
FBI Legat Moscow and U.S. Ambassador _ 

The Moonlight Maze Coordination Team will maintain a 
schedule in the SIOC beginning at midnight on April 4, 1999, EST 
until the deployment team returns. The anticipated hours of 
operation will be from 11:00 p.m. until 6-:00 p.m. EST. 



To: Moscow From: National Security 

Re: 288A-BA-95348, 03/31/1999 


LEAD(s): 


Set Lead 1: 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 04/01/1999 



Case ID #: 288A-HQ-1266830 (Pending) 
288A-BA-95348 (Pending) 
288A-CI-68562 (Pending) 


Title: "MOONLIGHT MAZE" 

Synopsis: To request identification of appropriate SIOC 

operations facilities for Moonlight Maze Coordination Group. 

Details: The Moonlight Maze Coordination Group (MMCG) has been 

verbally advised that the SIOC facility which it currently 
occupies,! |will be required for NATO operations on or about 

April 15, 1999. 

The MMCG is deploying personnel to Moscow, Russia, on April 2, 
1999, in support of the above captioned investigation. In order 
to maintain proper support for the deployed personnel and to 
assure continuity of operations, the MMCG requests that SIOC 
staff identify which SI OC opera tions room the MMCG will be 
assigned after vacating | Rapid identification of this 

facility is requested, as considerable logistical challenges must 
be addressed, including movement of substantial quantities of 
computer hardware and communications gear and dissemination of 
new telephone and fax numbers. 

The MMCG anticipates occupying the newly-assigned facility until 
about May 15, 1999. 
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Date of transcription 


8/4/98 


On July 29, 1998, at approximately 10:30 a.m., FA 
received a call from 


at South Carolina Research Authority, 5300 Interna tional Blvd., 
North Charle ston. South Car olina, telephone number| 
pager number 


This information is in relation to what is hel ievsd hn 
be Foreign Computer Hackers Operating out of Russia. | 
informed FA | | that he believes the Russians entered though 

South Carolina Research Authority (SCRA), computer system and 
then proceeded through the Wright Air force Base computer system. 
After copying a file onto the South Carolina Research Authority 
Computer Networking Company computer, the Russians then copied 
the file over to their system. Before the Russians copied the 
file over to their system, one of the SRA employees copied these 
files and saved the work for future reference. 


be 

b7C 


The address used by the Russians was 25dot m9-3dot dial 
up dot Ore dot ru. The address used to get in the Wright _ 


Patterson Air force Base 







I-1 b6 

_ stated there was an extensive amount of files k?c 

transfer. He felt sure his employee copied all the information 
before the files left the system. This was attempted once before 
with out a breakthrough. 


Investigation on 7/29/98 

at 

CHARLESTON, SC 

(telephonically) 

File# 288-CI-68562 “— 

fj 


Date dictated 08/4/98 





This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
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Approved By:|" 

Drafted By: 

Case ID #: 288-CI-68562 (Pending). 

Title: AIR FORCE INSTITUTE OF TECHNOLOGY 

MOONLIGHT MAZE 


Date: 03/24/1999 
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Synopsis: To provide information to receiving office. 

Details: The following information was telephonicallv provided 

to writer by|_|South Carolina 

Research Authority. 

As there is no active investigation in Columbia 
Division, information is provided to Cincinnati for whatever 
action Cincinnati may deem appropriate. 
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Precedence: ROUTINE 


Date: 04/07/1999 


To: London Attn: Legat 

Ottawa Attn: Legat 

National Security Attn: NIPG 

Attn: I 


From: Baltimore 

Squad 14/MMOC 
Contact: SaT 


Approved By: 

Drafted By: _ 

Case ID #: 288A-BA-95348 (Pending) 
288A-CI-68562 (Pending) 
288A-HQ-1266830 (Pending) 


Title: UNSUB(S); 

ARMY RESEARCH LAB - VICTIM; 
INTRUSIONS - INFO SYSTEMS; 
OO: BA 


Synopsis: To provide an update and status of the deployment of 
representatives of the Moonlight Maze Coordination Group (MMCG) 
to Moscow, Russia. 


Details: The primary objective of the MMCG investigative 

operations plan is to provide attribution for prosecution of 
subject (s) in captioned investigation, and to obtain 
investigative assistance ! I Personn el 


from the MMCG will travel to Moscow 


1 


to 


the identification and prosecution of the subject(s) in captioned 
matter. 


Purina the week of 3 /21-26/1 999. the MMCG hosted 


I J 


_in Washington, D.C. The MMCG presented 

five (5) i ntrusion incidents, related to intrusion set (2). to 


and formally requeste d the assis tance of 


support of this investigation. 


departed on i/Ab~7 


and pledged the aggressive investigative support of 
this matter. 


m 

j.999 

in 


i 


i 
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The MMCG team that will deploy to Moscow is comprised of 
two Special Agents and one language specialist from the FBI; one 




To: 
Re: 


London Frotfn Baltimore 
288A-BA-95348, 04/07/1999 


Special Agent and one technical specialist from the Department of 
Defense (DOD); and one Special Agent from the National 
Aeronautics and Space Administration (NASA). This team departed 
from Dulles International Airport on 4/2/1999, and arrived in 
Moscow on 4/3/1999. The MMCG will be staffed sixteen hours per 
day (2300-1800 EST) every day while the team is deployed to 
Moscow. The deployed team will communicate with the MMCG watch 
section to provid e a daily update of developments and 

coordination with_ It is anticipated that this team will 

return to Washington, D.C. on or about April 10, 1999. 




To: 
Re: 


London From: 
288A-BA-95348 


Baltimore 

04/07/1999 


LEAD(s): 

Set Lead 1: 

ALL RECEIVING OFFICES 


For information only. 


♦♦ 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE 

To: V^incinnati 


I! Xi! 


Date: 04/14/1999 


Attn: 'SA| 

Squad 4 


From: Indianapolis 



Title: (U1 (BSSRElEl MOONLIGHT MAZE 

synopsis: |U| The purpose of this EC is to provide the 

results of requested lead investigation at South Bend, Indiana. 



Reference 


<U) 


1 U) Xs$crExx i) 


288—CI—68562 Serial 40 


Enclosures: 

with copy, documenting the interview of[ 


Enclosed for Cincinnati is one FD-302, 


Indiana University at South Bend, at South Bend, 


Indiana, on 12/16/1998, at which time he provided one 8mm data 
cartridge tape entered into evidence and sent under separate 
cover sent to Cincinnati. 


^ M ? ’i nna fd- 102 . with copy. document ing the 

interview of I ^ I Indiana 

University at South Bend, South Bend, Indiana, on 12/10/1998. 

3) One insert, with copy, documenting 
certain investigation conducted at South Bend, Indiana, on 
12/09/1998. 

Details: (U| Pursuant to referenced serial, the above 

documented investigation was conducted at South Bend, Indiana, to 
include obtaining certain requested evidence. Said evidence was 
forwarded under separate cover previously to Cincinnati. 


(U > Lead covered at South Bend, Indiana. 


be 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 01/13/ 99 


__ ___| Indiana University at 

South Bend (IUSB), North Sidfe Building, Room 0069, 1700 Mishawaka 
Avenue, South Bend, Indiana 46634, telephone number 

was contacted at IUSB-_He was advised as to the identity or the 

interviewing Agent I_ 


^ I _I 

16 

17 C - 

OTHER Sealed Court Documents 


investigation on 12/16/98 at South Bend, Indiana 


File# 288-CI-68562 


Date dictated 


by 


SA^ 


/ J:013wwk06.302 


12/16/98 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
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| Facsimile 



I To: 


Special Agent 



1 

Of: 

Federal Bureau of Investigation 



Fax: 

219-233-4574 




Date: 

December 10,1998 






be 

b7C 


From: | 




Of: 

Indiana University South Bend 



Fax: 





Phone: 
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Total of pages including cover: 3 
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..Dec - 10-98 03 : 57P IUSB OIT 


219 237 4846 


Indiana University 
South Bend 


December 10,1998 


Office Of 
Information 
Technologies 



IUSB 


Special Agent 

Federal Bureau of Investigation 
100 E. Wayne Street, Suite 415 

South B end IN 46601 _ 

VOICE: |_ 

FAX: (219) 233-4574 


be 

hlC 


Deal 


It was a pleasure to meet you yesterday when you dropped off the “Application for” 
ensuing Court Order for the information indicated within the Appendix of the Order, 
indicated to you, i would expect that this request for information will require no Sea: 
Warrant at this time until you deem it necessary to go down to the level of the contet 
individual user files. I regard all system files you have requested, and that which w 
gather relevant to your needs, as to be available with no dispute. I will detail some 
complications relative to timeliness of production on some of that which you seek, bi 
can expect our full cooperation. This will be cleared with Indiana University Legal 
Counsel, as well. 


We can readily supply that information sought in Appendix A- items 1,4, and the 85 
employees or the Student ID number (the latter is generally the SSN) This is becaus 
items comprise the relevant information we collect and retain relative to establishme: 
userid for our computer accounts on our locally administered host oit 1 .iusb.edu. Th 
2,3, and the rest of 5 are part of employee/student databases which are officially kep 
housed in Bloomington, (Indiana University) and are not readily available to us in Si 
Bend since we are a centrally administered University system. We do retain some lo 
employee information regarding that sought under 2, 3 and 5, but that can not be rear 
practically joined with our account information within your three day timeline stated 
Court Order, 


It may be an overkill of information gathering at this stage for us, given the nature of 
information directly available to us. I would offer that if the investigation identifies 
problems out of the approximately 11,000 accounts which may be represented in the 
you will receive, that it might be better if we supply you the additional information 
regarding specific targets. Once specific targets have been identified from a prelimin 
investigation, a specific information look-up can be done in very short order, at that t 


Northside Hall 
1700 Mishawaka Avenue 
Post Office Box 7111 
South Bond, Indiana 
46634-71ll 


This suggestion by no means challenges your authority to seek the information nor a 
indicate an unwillingness on our part to supply the requested information, and if our 
suggestion is not satisfactory, we will proceed with gathering that information which 


219 237 4360 
Fax; 219 2.37 


2 



require a few weeks or more of my staff time to construct the complete it formation set for all 
users. 

We shall immediately begin to gather the first set of information, some of which may have 
to wait until Monday, December 14, 1998 for my security officer/system administrator to 
return from a national meeting, T will await your advisement on the above offer before we 
begin the more protracted information gathering work since it is not possible to comply 
within the three days for those items, anyway. 

T believe we can read ily supply Appendix B, items 1 and 2, but the detail in 3,4 and 5 may 
not be collected. Out I will know better about this. It 

occurs to me that the mail logs may be available for that period and may provide 
supplementary information about communication targets by the mail agent. 

I believe we can supply Appendix C insofar as we can supply the items under Appendix B. ke 

Jo 7 

If I understand the request in Appendix D, that information will be contained in the 
information under Appendix A., insofar as information available to us. 

Additionally, I will ask_to offer other logs which may be relevant to the 

investigation you detailed for us in your “application for” and to offer any other suggestions 
we initially observed after the situation had been first brought to our attention. 

We shall begin complying with this order immediately and will await your counsel on the 
suggestion 1 offered above, since l would think it in no way hinders your investigation and 
may well speed up our ability to get the more important logs for your initial inspection. 



For Information Technologies 


CC 
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Precedence: ROUTINE 
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To :v Cincinnati 


Date: 04/21/1999 

Attn: Evidence Control Centei 


Squad 4 


From: Philadelphia 

Newtown Squa re Resident Agency 
Contact: SA| 



Approved By: 

Drafted By: 

Case ID #(U) ^ 288-CI-68562 (Pending) 

Title: (U)-hsj' MOONLIGHT MAZE 


Synopsis : 1U) Forwarding pen register^ 


T 


(U) 


DerrVe^E^om^TG-3 
rssify5n~r 


Package Copy: |U> 



F.nclnsiirpR-* U1 (Vi_Enclosed for Cincinnati aref 


the nen reaisterf 


Details:* 111 Vf _ Philadelphia is forwarding pen register 
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SECRETOJOFORN 

April 15,1999 


RE: (U) "MOONLIGHT MAZE” 

RECENT DEVELOPMENTS • 

(U) On 4/2/1999, the Moonlight Maze Coordination Group (MMCG) deploy ed a team to 
Moscow, Russia, | The team 

consisted of the case agent from FBI Baltimore, a language specialist from FBI San Francisco, a 
supervisory special agent from FBIHQ, a representative from NASA and two representatives 
from Air Force Office of Special Investigations,. 


MMO 


£ 


The MMCG team discussed the details of the intrusio ns previously identified by the 

The MMCG briefed several 


Jinvestigators on the details of the case and requested assistance to determine the origin of 


the intrusions. The team discussed connection data from five computer intrusions involving 
systems from the Army, Navy. NASA, and a commercial Internet Service Provider (ISP'). 
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(U|_[provided the team with a memorandum, of which a transcribed copy is 

attached to this note, which explained that they would present the evidence to the Prosecutor's 
Office for a decision about opening a criminal case. 

_OJ) The M MCG retur ned from Moscow on 4/10/1999. On 4/15 /1999, ALAl] I 

_ contacted! _ Ito obtain an update on their investigation. I 

_During the week of | 

have advised the Leea t that they will provide him with the intruder's identity after they brief 
_replacement and obtain his approval. 

1U) j^NF) Deputy Assistant Director T is scheduled to meet with the NIPC's 

Interagency Senior Coordinating Group on Monday 4/19/1999, to update them on the MMCG's 
activities and obtain information from the intelligence community about any recent intelligence 
collection concerning this matter. 

BACKGROUND 

(U) "MOONLIGHT MAZE" is the code name for a number of investigations of 
intrusions into various military, governmental, educational and other computer systems in the 
United States, United Kingdom, Canada, Brazil and Germany. Field investigations are being 
conducted by the Albuquerque, Baltimore, Cincinnati, Jackson, New Orleans, and Springfield • 
Divisions as Offices of Origin and the Atlanta, Boston, Charlotte, Detroit, Indianapolis, 
Jacksonville, Knoxville, Mobile, New York, Pittsburgh, Salt Lake City, San Francisco, and 
Washington Field Divisions as Lead Offices. The National Infrastructure Protection Center 


FORN 
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(NIPC) is coordinating these investigations with investigators from the Air Force Office of 
Special Investigations, Army, Naval Criminal Investigative Service, Defense Criminal 
Investigati ve Service. National Aeronautics Space Administration. Departm ent Of Energy, Re 
well as thel I The NIPC is also 


_| The NIPC has 

ensured that Legats London, Moscow and Ottawa are advised of the investigation in their 
respective territory. 


(U) These investigations were initiated when intrusions were discovered at Wright 
Patterson Air Force Base (WPAFB), Ohio, and the Army Research Laboratory (AJRL), Maryland, 
and other unclassified military systems, as well as various governmental, commercial and 
educational computer systems in the United States. 



(U) Intrusions into DOE systems include intrusion activity at Los Alamos National 
Laboratory (LANL), Sandia National Laboratory (SNL), Lawrence Livermore National 
Laboratory (LLNL), and Brookhaven National Laboratory. DOE's Computer Incident Advisory 
• Capability (CIAC) has been active in this incident. Activity on DOE systems has been confined 
to unclassified networks. 








(U) On 1/8/1999, Deputy Assistant Director (DAD) Michael A. Vatis and Section Chief 
Kenneth M. Geide briefed Dr. Hamre, updating him regarding captioned matter. 



(U) As of 1/13/1999, the intruder(s) continued to attempt, and in some instance 
succeeded, in intruding into Department of Defense (DOD) computer systems. The intruder(s) 
continues to mainly operate Monday through Friday during European business hours. Notably, 
the intruders) was active on 12/25/1998, a weekday, but was not active on 1/7-8/1999, both 
weekdays and Orthodox Christmas holidays in Russia. 


(S/NF) On 1/13/1999, DAD Vatis hosted a meeting with senior representatives from the 
agencies involved in captioned matter (as victims and/or investigators). The principals who 
attended the meeting were: 


Major General John Campbell, Commander, JTF-CND, DOD 

Ms. Sheila Dryden, Principle Director for Security and Information Operations, Office of 
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Mr. Edward Curran, Director, Office of Counterintelligence, DOE 
Ms. Roberta Gross, Inspector General, NASA 

'J&Ml^The purpose of this meeting was to brief the status of captioned matter and to 
discuss next steps. The attendees were advised: 


Referral/Consult 


• that the NIPC is coordinating the invest igation and a nalysis of "MOONLIGHT 

MAZE" with full participation by DOD, | DOE, NASA, Department of 

Justice 

• that numerous FBI field offices are investigating this matter, collecting evidence 
(primarily transnational data) from the ever expanding number of victims 

• that the NIPC Cyber Emergency Support Team (CEST) is providing technical 
assistance to victim sites and field offices, and is conducting the technical analysis of 
the transnational logs obtained from the victim sites 


H 


Referral/Consult 


L 


that the NIPC is working with Army and Navy to determine the feasibility and 
desirability for setting up an electronic "honeypot" to assist in attributing the intrusions 


• that the NIPC was considering making contact^ 
assistance in resolving this investigation 


b7D 


Ito request 
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On 1/16/1999. investigation determined that an account belonging tc 


_| During an interview of I _ by his 

supervisor, on 1/22/1 999, he adm itted to illicitly downloading files from| using his wife's 

account on 1/15/1999. 1 I stated that he did not know that | ~|was being m onitored 

when he signed onto the "it" account to obtain a copy of the hack er tools. l lonlv had the 

IP address of where the tools were located. Once signed o nto tha | system,_ 

followed the intruder's path, in an effort to locate the tools ] unable to locate the tools in 

a specific directory, subsequently began searching the intruder's directories for files and 
downloaded thre e files to h is machine in Ellicott City, Maryland. FBI Baltimore executed a 

search warrant al_residence, seizing five computers, two of which were owned by 

_employer. The systems are being examined by the Computer Analysis and Response 

Team (CART), Laboratory Division. 


(U) On 1/18/1999, the MPC was notified from the victimized | site in London 

regarding a compromise at the Brookhaven National Laboratory, located in Long Island, New 
York. Also compromised the same day was an Army network located in Vicksburg, Mississippi. 
The compromise was of a super computing center containing Cray and IBM supercomputers. 

The Army CID is determining the damage to the supercomputers. 




(U) On 2/25/1999, the FBI briefed captioned matter to key staff members of the House 


Permanent Select Co mmittee 


Representatives frorrj 
CND) also participated in these briefings. 


'or Intelligence and the Senate Select Committee for Intelligence, 
and DOD's Joint Task Force - Computer Network Defense (JTF- 



what has happened so far (Weldon says the 'electronic Pearl Harbo r 1 of which Hamre spoke last 


year has gone from if to when and the when is today)?" 
somebody at the Pentagon, "on the record about this." 


[would like to speak to 


b6 
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(U) On 2/25/1999, and again on 2/26/1999 


attempted to telephonically contact 


Douglas G. Perritt, Deputy Director, NIPC, in an effort to obtain comment reg arding comments 
attributed to Representative Weldon. Perritt has not responded to | telephone calls. 


(XJ) On 3/1/1999, Defense Week published an article "Hamre to Hill: 'We're.in a 
Cyberwar'," a copy of which is attached, concerning Dr. Harare's testimony. The article does not 
mention the Russian connection, but otherwise captures the gist of Dr. Harare's testimonv. 

_Referral/Consult 
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(U) On 3/4/1999, ABC Nightly News and the ABCNEWS.com web site aired a story 
"Target Pentagon: Cyber-Attack Mounted Through Russia." This report apparently stems from 
the earlier report, on 3/1/1999, by Defense Week, concerning Deputy Secretary of Defense John 
Hamre's testimony on "MOONLIGHT MAZE" before the House National Security Committee 
and the Research and Development Sub-Committee. Other related articles which have also been 
posted on the web are: "US Currently Under Cyber Attack?" posted by AntiOnline on 3/4/1999; 
"Pentagon and Hackers in 'Cyberwar'," posted by MSNBC on 3/4/1999; "Pentagon hackers 
traced to Russia," posted by CNNInteractive on 3/5/1999; "Pentagon 'at war' with computer 
hackers," posted by CNNInteractive on 3/5/1999; and "Electronic Desert Storm," posted by 
AntiOnline on 3/5/1999. The New York Times and New York Times Online also posted two 
articles, "Computer Hackers are Stopped," and "Hacker 'Attacks' On Pentagon May Be More 
Like Espionage," posted 3/5/1999, and 3/8/1999, respectively, regarding this investigation. A 
copy of these articles are attached to this note. Reports of information attributed to interviews of 
Representative Curt Weldon, Chairman, House National Security Committee, and Deputy 
Secretary of Defense Hamre, have also been aired periodically on CNN Headline News since 
3/5/1999. The ABC story reported that "the Pentagon's military computer systems are being 
subjected too ongoing, sophisticated and organized cyber-attacks. And unlike in past attacks by 
teenage hackers, officials believe the latest series of strikes at defense networks may be a 
concerted and coordinated effort coming from abroad." Until Friday, the Defense Department 
had not publicly acknowledged this latest cyber-war. But in an interview with ABCNEWS, 
Deputy Secretary of Defense Hamre, who oversees all Pentagon computer security matters, 
confirmed the attacks have occurred over the last several months and called them 'a major 
concern.' The ABCNEWS article noted that "this is an ongoing law enforcement and 
intelligence matter. Officials believe some of the most sophisticated attacks are coming from 
Russia. Federal investigators are detecting probes and attacks on U.S. military research and 
technology systems — including the nuclear weapons laboratories run by the Department of 
Energy." 

(U) The 3/8/1999, New York Times article stated that "In recent weeks, Government 
officials involved with defense have described a new kind of'cyberwar' being fought on the 
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Internet, with unknown hackers unleashing relentless assaults on military computers." This 
article noted that"... some computer security experts stress that while the hacker activity that 
the House heard about is a potential threat, calling it an attack could be an overstatement." This 
article also noted that "The Pentagon has said that, as is the case with the vast majority of 
hacking attempts, the recent probes did not result in the penetration of any computers storing 
sensitive information." Representative Weldon is quoted as stating "We know of banks who've 
had their fire walls broken and money transferred out, and they're not going to talk about it." 
Representative Weldon noted that the private sector needs to cooperate more with the 
government "in this area." 


(U) In light of the press coverage, the consensus a mong the participating agencies was 


that we had no real choice but to go directly to 


with a request for assistance to 


investigate selected intrusion activity captured during this investigation. The NDPC, worki ng 
with the Department of Justice and other Federal Investigative Agencies. _ 


T he MMCCi. described below, prepared an operations' 


plan, which was subsequently approved. 


Ref <= 


(U) In spite of the ABC story on 3/4/1999, intrusions continued. On 3/5/1999, between 
0228 and 0906 Eastern Standard Time (EST), there were two intrusions into LLNL, one 
intrusion into Lawrence Berkeley Laboratory (LBL), and one intrusion into Argonne National 
Laboratory passing through Jefferson County Library 
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These intrusions are consistent with other intrusions associated with "MOONLIGHT 


b7E 


MAZE." These intrusions are significant in that they occurred well after the national press 
releases regarding the "MOONLIGHT MAZE." 

(U) On 3/1/1999, the MMCG was established to strengthen the focus and assessment of 
the intrusion activities related to this investigation. The MMCG is composed of forty personnel 
from the following law enforcement, intelligence and Computer Emergency Response Teams 
(CERT) organizations: JTF-CND, DISA, Department of Justice (DOJ), Department of Energy 
(DOE), National Aeronautical and Space Administration (NASA), Air Force Office of Special 
Investigations (AFOSI), Naval Criminal Investigative Service (NCIS), Defense Criminal 
Investigative Service (DCIS), US Army Criminal Investigative Divi sion (USACID), US Army 
Military Intellig ence (USAMI), Defense Intelligence Agency (DIA), Referral/Consult 

Air Force Information Warfare Center (AFIWC), Navy CERT, Army CERT, ' 


FBI Baltimore, Eurasian Section, National Security Division and the NIPC. 


b7D 


£U) On 4/2/1999, a team from the MMCG deployed to Moscow, Russia to world 


[this matter. The team returned to Washington, D.C. on 4/10/1999. Prior to departure, 

n. 

R 

J 


b7D 


the team OPPiiriHr'krip-fi-nrrg ftv\m TTRITTO comirlfi: r>orPr>rmo 1 ond T> ; 

Referral/Consult 

Managers, 

Concurrence regarding the investigative teams travel have been obtained from the FBI 
International Relations Branch (ERB), Legat Moscow and U.S. Ambassador Collins. 

(U) I will keep you apprised of significant developments regarding this matter. 
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DATE: 07-10-2012 

FBI INFO. 

CLASSIFIED BY 60324/UC fb aw/sab/aio 
REAS01: 1.4 [b) 

DECLASSIFY OH: 07-10-2037 


ALL INFORMATION CONTAINED 
HEREII IS UNCLASSIFIED EXCEPT 
WHERE SHOOT OTHERWISE 


S^S^ET 

FEDERAL BUREAU OF INVESTIGATION 


Precedence: PRIORITY 

To: National Security 

Moscow 


Date: 


05/07/1999 


Attn: NIP G-CIU, Room 1 1887 


SSA 


Attn: Leg l slf 

Alat 


From: Cincinnati 

Squad 4 

Contact: 


S A 





hlD 


r 'C‘hi 


Details: For the information of Legat Moscow, and by way of 

brief background, captioned matter is a code name involving 
unauthorized intrusions into sundry military, governmental, 
educational and other computer network systems throughout the 
United States, United Kingdom, Canada and Europe. The National 
Infrastructure Protection Center (NIPC), located at FBIHQ, is 
coordinating these investigations with FBI Field Offices with 
pending Field investigations, and with investigators from other 
U.S. Government Agencies. 
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To- National Security From: Cincinnati 
Re|U)-«Q 288-CI-68562, 05/07/1999 


(U1 03^ The unauthorized computer intrusions were 
initially discovered at Wright Patterson Air Force Base (WPAFB), 
Dayton, Ohio, and the Army Research Laboratory (ARL), Maryland. 


With respect to the Cincinnati Division's 
investigation of captioned matter, the intrusions into WPAFB went 
through the University of Cincinnati (UC) . Cincinnati. Ohio._ 



of the intrusions and were requested to assist in determining the 













To: National Security From: Cincinnati 

Re: (U) 288-CI-68562, 05/07/1999 



LEAD (s): 
Set Lead 1: 


MOSCOW 


AT MOSCOW, RUSSIA 

< U > X d> = 

Moscow follow up on SA 


nni rvn^t-i respectfully requests that Legat 
case summary presentation of 


captioned matter. Enclosed computer evidence logs are f or the 
benefit of Leaat Moscow to assist in their investigation ! I 


log records 


(D) /W 


J2L 


_Lefla,t Moscow' is requested to obt ain compute r 
Original evidence procured £"*" 


is to be sent to the Cincinnati Division for proper 


dissemination and storage. 


^ (3) Copies of all correspondence I 

should be directed to the NIPC Unit and the Cincinnati Division. 
Cincinnati appreciates Legat Moscow's assistance in this matter. 


be 
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To: Criminal Investigative 

National Security 
Ba ltimor e 
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Attn: IRU-1, SSJj 

Attn: NIPC, SSA 


From: Moscow 

Contact: 
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Approved By: 
Drafted By: 
Case ID #: 


Title: (U) 


6J 


(u) 

(U) 

(U) 


288A-HQ-1266830A (Pending) 
2 8 8A- BA- 9534 S-'W; Pending) 
288A-CI-68562^ , (Pending) 
1ST? 

MOONLIGHT MAZE 
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Synopsis:(U) ^^NF) Use of information in referenced EC. 
< u > >£/NF) 


Reference: (U) 288A-HQ-1266830 Serial 56 

Details;^ £s(^NF) Referenced EC from Moscow dated 6/28/99 _ 

reported the re sults of interviews with personnel I I 

[ concerning captioned matter. On 7/8/99 Legat 
Moscow received a fax requesting how that information could be 
used and reported. 



^ jX/'NF) Referenced communication was classified 
SECRET/NOFORN in keeping with other communications received from 
FBIHQ. Obviously, dissemination should be in accordance with 
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To: Criminal Investigative From: Moscow 

Re: (U) 288A-HQ-1266830, 07/08/1999 




LEAD (s) : 

Set Lead 1: (Adxn) 

ALL RECEIVING OFFICES 

(U) Read and clear. 
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Precedence: PRIORITY 

To: All Field Offices 
National Security 

From: Newark 


Date: 10/06/1999 



Attn: 

Attn: 


ADIC; 
SAC 
SSA 


NIPC/CIOS/CIU (Room 11719) 


Contact: 


Approved By: 




Drafted By: 
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Case ID # j 


Title: 


288A-NK-99660 (Pending) 
288A-HQ-1281779 (Pending) 

__ 


UNSUB(S), AKA VICODINES; 

ET AL; 

MELISSA VIRUS; 

IMPAIRMENT - INFO SYSTEMS; 

Synopsis: To request all field offices to gather and report 

damages to victims infected by the Melissa Macro Virus. 

Details: For information of receiving offices, the Newark 

Division is requesting the assistance of all field offices in 
identifying and reporting damages caused by the Melissa Macro 
Virus ("MMV") to corporations, organizations and agencies, 
including federal, state and local government, in their 
respective territories. The following is a summary of 
investigative activities and developments pertaining to the 
ongoing investigation of the MMV: 

On 3/26/99, the MMV was proliferated on an America 
Online ("AOL") network news server through a posting to the 
alt.sex new sgroup using a stolen AOL account belonging to the 


screen nameQ_| An attachment to the posting contained 

names of alleged "cracked" pornographic websites. The newsgroup 
posting contained a file called list.zip which contained a 
document called list.doc. 'The list.doc document contained the 
MMV. The MMV infected those using Microsoft Windows, and 
Microsoft Word, Outlook and Outlook Express. MMV was coded to 
send an infected document to the first (50) addresses in each 
users email address book. The compounding effect of MMV 
proliferation caused many email servers throughout the U.S. and 
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rest of the world to crash. Systems administrators and 
Information Technology personnel scrambled to mitigate the 
effects of MMV on their systems. 


On 4/1/99, the Newark Division and the New Jersey State 
Pnl i ne—(NJSP)—Hirrh Technology Crime Unit arrested | 

_I pursuant to a state of New Jersey 

arrest warrant obtained from Monmouth County Superior Court Judge 

___| was charged with second degree 

offenses of interruption of public communication, conspiracy to 
commit the offense and attempt to commit the offense, third 


degree theft of computer service, and third degree damage or 
wrongful access to computer systems relating to the propagation 
of the computer macro virus kno wn as “M KT.TSSA” . Earlier that 
evening, prior to the arrest of | | the Newark Divisio 

the NJSP executed a state of New Jersey search warrant at 
residence 



The initial information leading to the arrest and 
execution o f search warrants came from America Online, Inc., 

Dulles, VA, _ contacted the State 

of New Jersey Attorney General’s Office with lead information 
with respect to MELISSA. The State Attorney General’s Office 
enlisted the NJSP High Technology Crime Unit who in turn enlisted 
the assistance of the Newark FBI NIPC squad. 



The District of New Jersey U.S. Attorney’s Office and 
the Attorney General’s Office for the state of New Jersey 
anticipate returning simultaneous indictments on or about October 
31, 1999. To aid the prosecution, it has been requested that 
Newark obtain detailed victim information relating to damages 
caused by the Melissa Macro Virus. This information is critical 
to the prosecution of captioned subject(s). 


Ques tions regardin g this communication should be 
directed to SA Newark Pi vi hi nn’« NTPP Squad at 

Franklin Township ra, telephone 


2 







To: All Field Offices From: Newark 

Re: 2 8 8A-NK-99660, 10/06/1999 
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LEAD (s): 

Set Lead Is 

• ALL RECEIVING OFFICES 


Newark requests all field offices to identify victim 
corporations, organizations and agencies, including federal, 
state and local government, in their respective territories 
infected by the Melissa Macro Virus ("MMV"). Newark recognizes 
that this is an inherently difficult task and asks field offices 
to utilize liaison contacts, including those developed through 
the Key Asset and InfraGard Programs where applicable. Field 
divisions are also asked- to identify and follow-up on'any 
complaints previously received relating to MMV and report those 
instances to Newark. If necessary, Federal Grand Jury subpoenas 
will be made available when requested. 

Victims should report, in dollars, their best 
calculation of the damages caused by MMV. Victims may be asked 
to verify their reported damages in federal court. Information 
requested should detail the nature and extent of damages caused 
by MMV including, but not limited to, the following areas: email 
servers, desktop computers and other computer hardware affected; 
computer system downtime; personnel time, including overtime, for 
corrective action; lost productivity; lost contracts and missed 
business opportunities; diminished profits; consulting expenses; 
infrastructure costs; lost customers; and sensitive data leakage. 


Set Lead '2 : 

NATIONAL SECURITY 

AT WASHINGTON. DC 
NIPC/CIOS/CIU - Read and clear. 


♦ ♦ 
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RUSSIAN HACKERS MAY HAVE PULLED OFF WHAT COULD BE THE 
MOST DAMAGING BREACH EVER OF U.S. COMPUTER SECURITY 


By Gregory Vistica 

I t’s BEING CALLED 
“Moonlight Maze,” an ap¬ 
propriately cryptic name 
for one of the most poten- 
jj tiallydamagingbreachesof 
; l American computer security 
1 S ever—serious enough for the 

( Department of Defense to or¬ 
der all of its civilian and mili¬ 
tary employees to change their 
j computer passwords by last 
| month, the first time this pre- 
'i caution has ever been taken en 
; masse. The suspects: crack cy- 
j berspooks from the Russian 

\ Academy of Sciences, a _ 

\ government-supported 
\ oiganization that inter¬ 
im acts with Russia’s top 
l militaiy labs. The tar- j 

l gets: computer systems j 

S attheDepartmentsof j 

I Defense and Energy i 

| military contractors and lU gj 
\ leadingeivilianuniver- gjmB 
\ sides. The haul: vast | sfig 
jj quantities of data that, fSB 
l intelligence sources °lSS 


familiar with the case tell 
Newsweek, couldinclude 
classified naval codes and in¬ 
formation on missile-guid¬ 
ance systems. This was, Penta¬ 
gon officials say flatly, “a 
state-sponsored Russian intel¬ 
ligence effort to get U.S. tech¬ 
nology”—as far as is known, 
thefirstsuch attempt ever by 
Russia. Washington has not 
yet protested to Moscow. But 
DeputySecretary ofDefense 
John Hamre, who has briefed 
congressional committees on 
I the investigation, has told col- 
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NEWSWEEK SEPTEMBER 20, 1999 


~JB H Afterthat, “we’re notcertain 

|| |pl where they went,” says GOP ■ 

Si! y \kff Rep. Curt Weldon, who has 

3 held classified hearings on 

* Moonlight Maze. 

As a federal interagency 
task force begins its damage 
RF THE assessment, a key question is 

»t I nt whether the Russians man- 

RUY aged to jump from the unclas¬ 

sified (although non-public) 
systems where they made 
leagues: “We’re in the middle their initial penetration into 

ofacyberwar.” the classified Defense Depart- 

In a cyberwar, the offensive ment network that contains 

force picks the battlefield, and the most sensitive data. Ad- 

the other side may not even ministration officials insist 

realize when it’s under attack. the “firewalls” between the 

Defense Department officials networks would have pre¬ 
believe the intrusions, which vented any such intrusion, but 

they describe as “sophisticat- other sources aren’t so sure, 

ed, patient and persistent,” Besides, one intelligence offi- 
began at a low level of access cial admitted, classified data 

in January. Security sleuths often lurk in unclassified 

spotted them almost immedi- databases. With enough time 

ately and back-hacked” the and computer power, the Rus- 

source to computers inRus- sians could sift through their 

sia. Soon, though, the attack- mountains of pilfered infor- 

ers developed new tools mation and deduce those se- 
that allowed them to crets they didn’t directly steal, 

enter undetected (al- That’s one more thing to wor- 

though they sometimes ry about, although security 

left electronic traces officials admit that they have a 

that could be recon- more pressing concern. The 

structed later). Intelli- intruders haven’tbeen spot- 
gence sources say the ted on the network since May ( 

i -* 1 perpetrators even 14. Have they given up their j 

gained “root level” ac- efforts-or burrowed 

cess to some systems, a so deeply into the network 
depth usually restricted that they can no longer even I 

to a few administrators, be traced? 

M<f/9 - <2-^ - - /&7 
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S^BS^r/N OFORN 

Chinese hackers to enter the country's security systems. "We have set up a round-the-clock 
monitor system and installed various security programs and firewalls to keep the Chinese 
Communists from trying to disrupt our networks," said Chang Chia-sheng, the defense ministry's 
cyber information head. The military and security networks are independent with no links to the 
Internet, making it difficult for Chinese hackers to sabotage, Chang said. Taiwan's security 
authorities have discovered more than 7,000 recent attempts by Chinese hackers to enter the 
island's security and military systems through Internet Web sites, Chang said. 

Military - NTR 


U.S. SECTOR INFOBMATION: 


Banians and Finance - (U) (Newsbytes, 7 March) Although some reports seem to indicate that 
online banking is not having the acceptance once predicted for this online service, a recently 
released report to an Independent Community Bankers of America conference by Grant Thornton, 
LLP, a major accounting and management consulting firm, states that community banks recognize 
the need to use the Internet to serve and retain customers. In an interview with Newsbytes, Linda 
Garvelink, director of marketing for financial services at Grant Thornton, defined "community 
banks" as those which are focused on their local communities, are independent in attitude and 
direction, and generally have assets under $10 billion. The banks participating in the survey have 
average assets for 1999 of $195 million, and nearly two-thirds are privately held. The Grant 
Thornton survey found that, by the end of2000,78 percent of community banks will have a Web 
site - a substantial increase from the 55 percent that had Web sites at the end of 1999. 

Telecommunications - NTR 

Electric Power- NTR 

Transportation - NTR 

Gas & Oil Storage Distribution - NTR 

Water Supply - NTR 

Emergency Services - NTR 

Government Service - NTR 

SECTION B - INTRUSION INCIDENT REPORTING / LAW ENFORCEMENT 
SENSITIVE (Information in this Section is for FBI use, controlled by the originator, and not to 
be disseminated without the written approval of the NIPC) - NTR 

SECTION C - CLASSIFIED 

(U) j^NF) (JTF-CND, 7 March) JTF-CND J2 assesse s that the series of intrusions investigated as 
Moonlight Maze is more than likely a manifestation 
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To : Cincinnati 

From: Cincinnati 

Squad 4 

Contact 

Approved By: 

Drafted By: 


Date: 03/28/2000 


Attn: ECT 



Case ID #(11) ^ ,2*88A-CI—68562 " (Pending Inactive) 


Title (U) ^ MOONLIGHT MAZE 

Synopsis: Explanation for tardiness of evidence returned to 
the Cl Division's evidence storage room beyond the ten day rule. 


b6 
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(U) ra) Dertve&Jj^OJ^-:—G-3 

^ x jleolaSsifySir:—-~3CL_ 

Details^ "K For information of the file, pursuant to a review 
of all pending Cl Division cases with evidence collected, instant 
communication addresses the reason for collected evidence 
returned to the Cl Division's evidence storage room beyond the 
ten day rule. 

(U) a review of the Chain of Custody, FD-192, reveals 

that the collected evidence was returned to the United States Air 
Force Office of Special Investigations (AFOSI), upon learning 
that the Cl FBI Division did not have the capability to duplicate 
working copies of computer data disks and cartridges. As a 
result, the collected evidence was furnished to AFOSI and was 
sent to a computer laboratory in Washington D.C. for analysis 
prior to its return to the Cl FBI Field Office for proper 
storage. 



The aforementioned response unequivocally explains 
the short delay in returning collected evidence to the Cl 
Division's storage room. 


♦♦ 
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To: 


ncii 


ncinnati 


Date: 10/10/2000 


Prom: Cincinnati 

Squad 4 
Contact: SA 


Approved By: 
Drafted By: 
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Case ID #:(U) 288A-CI-68562 (Pending Inactive) 

Title (U) MOONLIGHT MAZE 

Synopsis:^ Claiming statistical accomplishments concerning 

captioned matter. 

(U) 

Details : (U| £s£ During the course of captioned investigation which 
was initiated at the Cl Division, commencing in the summer of 
1998 and extending up and through the years 1999 and 2000, 
several statistical accomplishments were earned. It was not 
until the introduction of the new FD-542 form that these 
accomplishments could be highlighted and claimed as statistical 
accomplishments. Statistical accomplishments claimed are as 
follows: 




&) i- 


(U) XJ 2. Initiation of Non-DA Joint 
Operation/Investigation (stat previously claimed, Serial 27). 

3. | 

_ M 4 . I 


(U) 5 . Eleven (11) NIPCIP 2703(f) Orders obtained. 


ET 




This EC: 




toifefe 


Is OK % Upload 


-/// 
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To: Cincinnati From: Cincinnati 

Re:[U)(M 288A—CI-68562 , 10/10/2000 


WSU. 


(U)--£g£ 6. Two (2) NIPCIP 2703 (f) Orders served at UC and 


(U) 


A 7. 


Pen Register/Trap and Trace 


(U) hgf 8. One (1) NIPCIP Foreign Source IP Address 
Identified. 


Person). 


(U) ^ 9. one (1) NIPCIP Subject Identified (Non-US 


5iM. 


10. One (1) NIPCIP Subject Tool/Exploit/Malicious 
Code Identified. 

11. Ten (10) or more Positive Intelligence 
Reported/Disseminated to U.S. Intelligence community. 
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To: Cincinnati From: Cincinnati 

Re-.™ £>£ 288A—Cl —68562 , 10/10/2000 


Accomplishment Information: 

Numbe r: 11 _ 

Type: I I 

ITU: LIAISON WITH OTHER AGENCY 

ITU: NIPCIP 

Claimed By:_ 

SSN: 

Name: |_ 

Squad: 4 

Number : 2 _ 

Type: 

ITU: LIAISON WILti other AcEticV- 

ITU: NIPCIP 

Claimed By:_ 

SSN: I 

Name: |_ 

Squad: 4 

Number: 11 

Type: NIPCIP 2703(f) ORDER SERVED 

ITU: LIAISON WITH OTHER AGENCY 

ITU: NIPCIP 

Claimed By: 

SSN: I 
Name: 

Squad: 4 


Number: 2 

Type: NIPCIP PEN REGISTER TRAP AND TRACE SERVED 

ITU: LIAISON WITH OTHER AGENCY 

ITU: NIPCIP 

Claimed Byj_ 

SSN: I 

Name: |_ 

Squad: 4 


Number: 1 

Type: NIPCIP FOREIGN SOURCE IP ADDRESS IDENTIFIED 

ITU: LIAISON WITH OTHER AGENCY 

ITU: NIPCIP 


Claimed By 
SSN: 
Name: 
Squad 
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To: Cincinnati From: Cincinnati 

Re:(U) 288A-CI —68562 , 10/10/2000 



Number: 1 

Type: NIPCIP SUBJECT IDENTIFIED 

ITU: LIAISON WITH OTHER AGENCY 

ITU: NIPCIP 

Claimed By:_ 

SSN: 

Name: 

Squad: 4 


Number: 1 

Type: NIPCIP SUBJECT TOOL/EXPLOIT/MALICIOUS CODE IDENTIFIED 

ITU: LIAISON WITH OTHER AGENCY 

ITU: NIPCIP 


Claimed By r 
SSN: 
Name:) 
Squad 


Number: 10 

Type: POSITIVE INTELLIGENCE (DISSEMINATED OUTSIDE FBI) 

ITU: LIAISON WITH OTHER AGENCY 

ITU: NIPCIP 

Claimed By.:__ 

SSN: 

Name: |_ 

Squad: 4 
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To: /Cincinnati 

From: Philadelphia 

Newtown Squa re Resident Agency 
Contact: SA| 

i 

Approved By: 


Date: 03/01/2001 
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Drafted By: 

Case ID #: 288A-CI-68562''’’ (Pending) 

288-PH-C85787 SUB E (Pending) 

Title: MOONLIGHT MAZE 

Synopsis: Report statistical accomplishments. 

Details: 


[ 


PpcH .qt-R-r/Tran and Tracef 


I a Pen~ 
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To: 
Re: 


Cincinnati Tfom: Philadelphia 
288A-Cl-68562, 03/01/2001 


ft 


tf 


Accomplishment Information: 


Numbers_3_ 

Type: 

ITU: 

Claimed Bv : 

SSN: 

Name: |_ 

Squad: NSRA 


Number: 1 

Type: NIPCIP PEN REGISTER TRAP AND TRACE SERVED 

ITU: NIPCIP 

Claimed By.:_ 

SSN: 

Name: |_ 

Squad: NSRA 
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To: 
Re: 


Cincinnati 
288A-CI-68562, 




Philadelphia 
03 / 01/2001 


LEAD(s): 

Set Lead 1: (Adm) 
CINCINNATI 

AT CINCINNATI 
Read and clear. 

cc: SSA 

SQ V - 

♦♦ 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 01/09/2008 

To: Cincinnati Attn: __I 

Attn: ECT | 


From: Cincinnati 

Squad 13 

Contact: L 



Approved By: 

Drafted By: 

Case ID #: 288A-CI-68562 (Pending Inactive) — 1 \ (o 

Title: AIR FORCE INSTITUTE OF TECHNOLOGY 

MOONLIGHT MAZE 


Synopsis: To reassign case. 


Ttetai 1 


this case is being reassigned to SA 


s: Per SSA 

for the purposes of disposing of pending evidence. 
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To: 
Re: 


Cincinnati I^^m: Cincinnati 
288A-CI-68562, 01/09/2008 


LEAD (s) : 

Set Lead 1: (Action) 


CINCINNATI 

AT CINCINNATI, OH 


Please coordinate with ECT 
of all pending IB's. 

Set Lead 2: (Info) 


Jto properly dispose 


CINCINNATI 

AT CINCINNATI. OH 
Read and Clear. 
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ORIGINAL 


ALL IHFOmiATIOM COHTAIHED 

HEREII IS IWCLASSIFIED 

DATE 07“11"2012 BY 60324/UC/baw/sab/aio 


288A-CI-68562 

■^JK:jk 
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Agent 


The follow ing investigation was conducted by Special 
on January 10, 2008, at Cincinnati, Ohio: 


Task Force Officer 


The inve stigating Agen t spoke telephonically with 


United States Air Force 


Office of Special Investigations, concerning the disp osal of 
evidence associated with the above case number. TFO 


reported that she would confer with her evidence handling 
personnel to determine proper steps for the disposition of 
this evidence. 
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DERIVED FROM: G-3 FBI Classification Guide G-3, dated 1/97, Foreign 
Counterintelligence Investigations DP'I' ~TTY Mi 1 'Tilinilii I i i i ~i~ 




TMs email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they 
are addressed. If you have received this email in error please notify 


the system manager. 


This footnote also confirms that this email message has been swept by 
MIMEsweeper for the presence of computer viruses. 


www.mimesweeper. com 
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ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED 



DATE 07“11™2012 BY 60324/UC/haw/sab/aio 

(Cl) (FBI) 

From: 

(Cl) (FBI) 

Sent: 

Mnnrlav -lannarw Ofl OQQg -] -| 3g ^ 

To: 


[CD (FBI) 

Subject: 

RE: Evidence Checks 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


CI-75935 - Do not Close - SA 
CI-75975- Do Not Close- SA 
CI-71802- Do Not Close- SA 


el-75438- Do Not Close- SA 
CI-73956- Do Not Close- SA 
CI-68562- Do Not Close- SA^ 


has 15 hard drives and one DVR remaining in this case. 
|has 21B items remaining paper/CPU 
has 22 items remaining in this case 


has four 1B that contain CPU/CD/paper items/index cards 
|:his case requires an EC to destroy lB 3,4-cd, 5-cds, 8, 9,10; 


Jjust had this case reassigned to him to dispose of the evidence 


lB 1,2,4,5-camera,6,7 


CI-76878- Okay to Close- SA 


has taken care of all the 


evidence in this case. 


If you have any other questions please email me. 
Thanks for checking 




From: 

Sent: 

To; 

Subject: 


I ren (fbi) 

Mnnriav, lanuaiy 28, 2008 10:07 AM 
K CI) (FBI) 
tvidence Checks 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


-b6 

b7C 


Can you please check the following cases for pending evidence: 

196E-CI-75935 

305B-CI-75975 

288A-CI-71802 

305C-CI-75438 

305A-CI-73956 

288A-CI-68562 

305C-CI-76878 

Thanks, 


tow 
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SST - Cincinnati CYBER Squad 13 
Desk | H 

Fax-fiia-fi6a-s6so __ 
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"Be more concerned with your character than with your reputation, because your character is what you really are , 
while your reputation is merely what others think you areJohn Wooden 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 02/05/2008 

To: Cincinnati Attn: Evidence Cu stodian 

ASACl 




From: Cincinnati 



Title: MOONLIGHT MAZE; 

Synopsis: To order destruction of stored evidence. 

Details: Following discussions with Air Force Office of 

Special Investigations Special Agent in which 

no objections were lodged and consultation witn cnier Division 
Counsel Michael Brooks, evidence items 1B1 through 1B16 
inclusive are ordered destroyed. These items consist of 
documentation and computer disks related to the instant case. 
All have been in storage since before the turn of the century. 
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To: 
Re: 


Cincinnati 



Cincinnati 


288A-CI-68562, 02/05/2008 



LEAD(s): 

Set Lead 1: (Action) 

CINCINNATI 

AT CINCINNATI. OH 

Evidence Custodian should destroy the evidence items 
described above. 

♦♦ 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 02/22/2008 

To: Cincinnati 


From: Cincinnati 



Title: MOONLIGHT MAZE; 


Synopsis: To close case. 

Reference: 288A-CI-68562 Serial 120 

Details: Per the referenced Serial, all evidence collected 

during this investigation has been destroyed. All 
investigative activity is complete and this case should be 
closed. 

♦♦ 
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